Skip to content

Approval gates

Approval gates bind a reviewed Automax plan to a JSON approval file. Operators can create an approval after reviewing the same job, inventory, vars and selector inputs that will later be executed.

Approval files are intentionally secret-free. Create them without --secrets; runs can still pass --secrets later because approval verification compares the secret-free review surface.

Create an approval

automax approval create \
  --job job.yaml \
  --inventory inventory.yaml \
  --vars vars.yaml \
  --approved-by change-1234 \
  --reason "Approved maintenance window" \
  --expires-at 2026-06-30T23:00:00Z \
  --output approvals/change-1234.json

The approval file records:

  • approver identity;
  • approval timestamp;
  • optional expiry timestamp;
  • optional reason or ticket reference;
  • SHA-256 digest of the secret-free operator review;
  • short review summary.

Verify an approval

automax approval verify \
  --job job.yaml \
  --inventory inventory.yaml \
  --vars vars.yaml \
  --approval approvals/change-1234.json

Verification fails when the selected plan, inventory, vars, filters or tags no longer match the reviewed content. It also fails after expires_at.

Run with an approval gate

automax run \
  --job job.yaml \
  --inventory inventory.yaml \
  --vars vars.yaml \
  --secrets secrets.yaml \
  --approval approvals/change-1234.json

The run verifies the approval file before execution. Dry runs do not require approval verification, so operators can still preview changes before asking for sign-off.

Operator workflow

A typical change workflow is:

automax review --job job.yaml --inventory inventory.yaml --vars vars.yaml --output review.md
automax approval create --job job.yaml --inventory inventory.yaml --vars vars.yaml --approved-by change-1234 --output approval.json
automax approval verify --job job.yaml --inventory inventory.yaml --vars vars.yaml --approval approval.json
automax run --job job.yaml --inventory inventory.yaml --vars vars.yaml --secrets secrets.yaml --approval approval.json

Keep approval files with the release or change record when the environment requires auditable operator sign-off.